FBI Warns of Kali365: Device Code Phishing Now Bypasses MFA on Government Microsoft 365 Tenants

Published on May 25, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> (trending toward HIGH) </p> <p> <em> The convergence of FBI-validated credential theft tooling targeting Microsoft 365 device code authentication, an active cross-ecosystem supply chain campaign poisoning developer environments, and a foreign state breach of a government registry exfiltrating 600,000+ records demands immediate defensive action from state government IT leadership. </em> </p> <h2> <strong> Introduction </strong> </h2> <p> State government CIOs and CISOs face a compounding threat picture this week. The FBI issued a Public Service Announcement on 21 May 2026 warning of <strong> Kali365 </strong> , a Phishing-as-a-Service platform that captures OAuth tokens from Microsoft 365 environments &mdash; bypassing multi-factor authentication entirely. This isn't theoretical: the platform is actively distributed via Telegram, offers AI-generated lures, and exploits the same device code authentication flow that state government M365 GCC tenants rely on for shared kiosks and conference room devices. </p> <p> Simultaneously, a 34-package supply chain campaign called <strong> TrapDoor </strong> is stealing developer credentials across npm, PyPI, and Crates.io &mdash; and pioneering a novel technique that poisons AI coding assistants into exfiltrating secrets. And in Lithuania, a foreign state actor compromised inter-agency credentials to exfiltrate 600,000 records from a government property registry &mdash; an operation with direct parallels to how U.S. state agencies share identity infrastructure across departments. </p> <p> This report provides actionable intelligence for state agency leadership to defend against these converging threats. 
</p> <h2> <strong> What Changed This Week </strong> </h2> <table> <thead> <tr> <th> <p> Development </p> </th> <th> <p> Why It Matters for State Government </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> FBI PSA on Kali365 PhaaS </strong> (21 May) </p> </td> <td> <p> Directly threatens state M365 GCC tenants; bypasses MFA via device code flow </p> </td> </tr> <tr> <td> <p> <strong> TrapDoor supply chain attack </strong> (22 May) </p> </td> <td> <p> 34+ malicious packages across 3 ecosystems; novel AI assistant poisoning technique </p> </td> </tr> <tr> <td> <p> <strong> Lithuania government registry breach </strong> (confirmed May 2026) </p> </td> <td> <p> 600K records exfiltrated via compromised inter-agency accounts; Russian attribution suspected </p> </td> </tr> <tr> <td> <p> <strong> CISA adds 10 KEVs in 72 hours </strong> (20&ndash;22 May) </p> </td> <td> <p> Unprecedented patch velocity requirement; includes ICS advisories for building automation </p> </td> </tr> <tr> <td> <p> <strong> ABB/Hitachi/Siemens ICS advisories </strong> (21 May) </p> </td> <td> <p> Directly relevant to state building automation and energy grid oversight </p> </td> </tr> <tr> <td> <p> <strong> WhatsApp phishing of government officials </strong> (multi-country, confirmed) </p> </td> <td> <p> Russian-linked campaign intercepting verification codes from parliamentarians and staff </p> </td> </tr> </tbody> </table> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Actor/Campaign </p> </th> <th> <p> Impact </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 20 May 2026 </p> </td> <td> <p> CISA adds 7 vulnerabilities to KEV catalog </p> </td> <td> <p> Multiple </p> </td> <td> <p> Accelerated patching required </p> </td> </tr> <tr> <td> <p> 21 May 2026 </p> </td> <td> <p> CISA adds 2 KEVs; publishes 4 ABB ICS advisories + Hitachi GMS600 + Siemens RUGGEDCOM </p> </td> <td> <p> Multiple </p> </td> <td> <p> State 
building automation/SCADA exposure </p> </td> </tr> <tr> <td> <p> 21 May 2026 </p> </td> <td> <p> FBI issues PSA on Kali365 PhaaS platform </p> </td> <td> <p> Criminal (Telegram-distributed) </p> </td> <td> <p> M365 OAuth token theft bypassing MFA </p> </td> </tr> <tr> <td> <p> 22 May 2026 </p> </td> <td> <p> CISA adds 1 KEV </p> </td> <td> <p> Multiple </p> </td> <td> <p> Continued patch pressure </p> </td> </tr> <tr> <td> <p> 22 May 2026 </p> </td> <td> <p> TrapDoor campaign begins publishing malicious packages </p> </td> <td> <p> Unknown (criminal/espionage) </p> </td> <td> <p> Developer credential theft; AI assistant poisoning </p> </td> </tr> <tr> <td> <p> 25 May 2026 </p> </td> <td> <p> BITWISE SPIDER (LockBit), PUNK SPIDER (Akira), REVENANT SPIDER (Qilin) show updated activity </p> </td> <td> <p> Ransomware operators </p> </td> <td> <p> No new gov-specific campaigns &mdash; but active development confirmed </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> Lithuania Centre of Registers breach investigation </p> </td> <td> <p> Russian state (suspected) </p> </td> <td> <p> 600K records including intelligence/military personnel data </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> Volt Typhoon / Salt Typhoon </p> </td> <td> <p> China-nexus </p> </td> <td> <p> Silence noted &mdash; pre-positioning in U.S. critical infrastructure continues without new public reporting </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Kali365: The MFA Bypass That Targets Your Exact Infrastructure </strong> </h3> <p> <strong> What it is: </strong> Kali365 is a Phishing-as-a-Service platform that abuses Microsoft's legitimate device code authentication flow. When a user is tricked into entering a code at microsoft.com/devicelogin, the attacker captures a full OAuth token granting access to Outlook, Teams, OneDrive, and SharePoint &mdash; without ever needing the user's password or MFA token. 
</p> <p> <strong> Why state government is uniquely exposed: </strong> State M365 GCC tenants typically have device code flow enabled for conference room displays, shared kiosks, and legacy integrations. The platform provides AI-generated lures mimicking IT helpdesk communications &mdash; exactly the kind of messages state employees are conditioned to trust. </p> <p> <strong> Validation: </strong> This finding is corroborated by the FBI PSA, Proofpoint research confirming "new device code phishing tools every week," and prior reporting on Tycoon2FA using the same technique. Confidence: <strong> MODERATE-HIGH </strong> . </p> <p> <strong> Relevant ATT&amp;CK Techniques: </strong> <strong> T1566.002 </strong> (Spearphishing Link), <strong> T1528 </strong> (Steal Application Access Token), <strong> T1078.004 </strong> (Cloud Accounts), <strong> T1114.002 </strong> (Remote Email Collection) </p> <h3> <strong> 2. TrapDoor: Supply Chain Attack Poisons AI Coding Assistants </strong> </h3> <p> <strong> What it is: </strong> Beginning 22 May 2026, attackers published 34+ malicious packages across npm, PyPI, and Crates.io (384+ versions total). The packages steal SSH keys, AWS credentials, GitHub tokens, and environment variables. The novel element: TrapDoor plants .cursorrules and CLAUDE.md files that inject hidden instructions into AI coding assistants (Cursor, Claude Code, GitHub Copilot), tricking them into running "security scans" that exfiltrate secrets. </p> <p> <strong> Why state government is exposed: </strong> State DevOps teams building citizen-facing portals, tax systems, and internal tools increasingly use AI coding assistants and open-source dependencies. A single compromised package in a CI/CD pipeline could expose cloud credentials, database connection strings, and API keys. 
</p> <p> <strong> Known malicious packages include: </strong> wallet-security-checker, eth-security-auditor, crypto-credential-scanner, prompt-engineering-toolkit, llm-context-compressor, sui-sdk-build-utils (34 total across 3 ecosystems) </p> <p> <strong> Attacker infrastructure: </strong> ddjidd564.github[.]io (GitHub Pages payload host) </p> <p> <strong> Relevant ATT&amp;CK Techniques: </strong> <strong> T1195.002 </strong> (Supply Chain Compromise), <strong> T1552.001 </strong> (Credentials in Files), <strong> T1555 </strong> (Credentials from Password Stores), <strong> T1543.002 </strong> (Systemd Service persistence) </p> <h3> <strong> 3. Lithuania Government Registry Breach: A Warning for State Agencies </strong> </h3> <p> <strong> What it is: </strong> Lithuania's Centre of Registers suffered unauthorized access resulting in exfiltration of 600,000+ records including personal identification numbers. The attacker gained access through compromised Migration Department accounts &mdash; exploiting inter-agency credential trust to reach a different agency's data. </p> <p> <strong> Why this is a direct parallel: </strong> U.S. state governments maintain analogous registries (property, tax, motor vehicles, vital records) and routinely share identity infrastructure across agencies via federated authentication. A compromise of one agency's service accounts can cascade to every connected system. </p> <p> <strong> Attribution: </strong> Lithuanian prosecutors confirmed foreign state origin. Opposition leadership attributes the operation to Russian intelligence. Confidence in Russian attribution: <strong> LOW </strong> (single source, investigation ongoing). </p> <p> <strong> Relevant ATT&amp;CK Techniques: </strong> <strong> T1078 </strong> (Valid Accounts), <strong> T1078.002 </strong> (Domain Accounts), <strong> T1530 </strong> (Data from Cloud Storage), <strong> T1537 </strong> (Transfer Data to Cloud Account) </p> <h3> <strong> 4. 
ICS/SCADA Advisory Surge: Building Automation and Energy Grid Exposure </strong> </h3> <p> CISA published advisories for <strong> ABB B&amp;R Automation Studio </strong> , <strong> ABB B&amp;R PCs </strong> , <strong> ABB B&amp;R Automation Runtime </strong> , <strong> ABB Terra AC Wallbox </strong> , <strong> ABB CoreSense </strong> , <strong> Hitachi Energy GMS600 </strong> (CVE-2022-4304), and <strong> Siemens RUGGEDCOM APE1808 </strong> (PAN-OS buffer overflow). These systems are deployed in state government building automation, EV charging infrastructure, and energy grid monitoring. </p> <p> Combined with the 10 KEVs added in 72 hours (20&ndash;22 May), the patch velocity requirement is unprecedented. State agencies with OT/ICS environments must prioritize these advisories. </p> <h3> <strong> 5. Persistent Nation-State Threats: Unchanged but Unresolved </strong> </h3> <table> <thead> <tr> <th> <p> Actor </p> </th> <th> <p> Origin </p> </th> <th> <p> Current Status </p> </th> <th> <p> State Gov Relevance </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> APT28 </strong> (GRU Unit 26165) </p> </td> <td> <p> Russia </p> </td> <td> <p> Destructive backdoor deployed 19&ndash;21 May; WhatsApp phishing of officials confirmed </p> </td> <td> <p> HIGH &mdash; targets government officials, messaging platforms </p> </td> </tr> <tr> <td> <p> <strong> APT29 / Midnight Blizzard </strong> </p> </td> <td> <p> Russia (SVR) </p> </td> <td> <p> Active; Lithuania breach potentially linked </p> </td> <td> <p> HIGH &mdash; government espionage </p> </td> </tr> <tr> <td> <p> <strong> Volt Typhoon </strong> </p> </td> <td> <p> China </p> </td> <td> <p> Silent this cycle &mdash; not assumed inactive </p> </td> <td> <p> CRITICAL &mdash; pre-positioned in U.S. 
critical infrastructure </p> </td> </tr> <tr> <td> <p> <strong> Salt Typhoon </strong> </p> </td> <td> <p> China </p> </td> <td> <p> Silent this cycle </p> </td> <td> <p> HIGH &mdash; telecom/infrastructure access </p> </td> </tr> <tr> <td> <p> <strong> APT43 </strong> </p> </td> <td> <p> North Korea </p> </td> <td> <p> Rapport-building campaigns active </p> </td> <td> <p> MODERATE &mdash; revenue generation, social engineering </p> </td> </tr> <tr> <td> <p> <strong> BITWISE SPIDER </strong> (LockBit) </p> </td> <td> <p> Criminal </p> </td> <td> <p> Updated 25 May, no new gov campaigns </p> </td> <td> <p> HIGH &mdash; historical state/local gov targeting </p> </td> </tr> <tr> <td> <p> <strong> PUNK SPIDER </strong> (Akira) </p> </td> <td> <p> Criminal </p> </td> <td> <p> Updated 25 May </p> </td> <td> <p> HIGH &mdash; active ransomware threat </p> </td> </tr> <tr> <td> <p> <strong> REVENANT SPIDER </strong> (Qilin) </p> </td> <td> <p> Criminal </p> </td> <td> <p> Updated 25 May </p> </td> <td> <p> MODERATE-HIGH &mdash; expanding target set </p> </td> </tr> </tbody> </table> <h2> <strong> Predictive Analysis: Next 7 Days </strong> </h2> <table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional PhaaS platforms exploiting device code flow emerge </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Proofpoint confirms "new tools every week"; low barrier to entry </p> </td> </tr> <tr> <td> <p> TrapDoor campaign expands package list; copycat campaigns target government-specific package names </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> Pattern of rapid iteration in supply chain attacks; government DevOps is undertargeted </p> </td> </tr> <tr> <td> <p> CISA adds Ivanti EPMM CVE-2026-1281/1340 to KEV catalog </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> Active exploitation campaign confirmed; Ivanti widely deployed in state 
government </p> </td> </tr> <tr> <td> <p> Ransomware group claims state/local government victim </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> Statistical baseline given current actor tempo; all three major groups showing activity </p> </td> </tr> <tr> <td> <p> Volt Typhoon activity surfaces in new public reporting </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> Silence is operational security, not cessation; congressional pressure for disclosure continues </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Detection Priorities </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> What to Monitor </p> </th> <th> <p> ATT&amp;CK ID </p> </th> <th> <p> Detection Logic </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> Device code authentication events in Azure AD </p> </td> <td> <p> <strong> T1528 </strong> </p> </td> <td> <p> Alert on DeviceCodeUserLogin events in Azure AD sign-in logs, especially from unexpected geolocations, user agents, or for users who have never used device code flow </p> </td> </tr> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> OAuth token grants with unusual scope </p> </td> <td> <p> <strong> T1078.004 </strong> </p> </td> <td> <p> Monitor for tokens granting Mail.Read, Files.Read.All, or Sites.Read.All via device code flow </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> npm/PyPI package installations in CI/CD </p> </td> <td> <p> <strong> T1195.002 </strong> </p> </td> <td> <p> Scan for any of the 34 TrapDoor package names in package.json, requirements.txt, Cargo.toml </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> Presence of .cursorrules or CLAUDE.md in repos </p> </td> <td> <p> <strong> T1195.002 </strong> </p> </td> <td> <p> File integrity monitoring on development repositories for AI assistant config files </p> </td> </tr> <tr> <td> <p> 
<strong> P3 </strong> </p> </td> <td> <p> Inter-agency service account anomalies </p> </td> <td> <p> <strong> T1078.002 </strong> </p> </td> <td> <p> Baseline normal access patterns for shared service accounts; alert on access to registries/databases outside normal hours or from new source IPs </p> </td> </tr> <tr> <td> <p> <strong> P3 </strong> </p> </td> <td> <p> ICS/OT network traffic anomalies </p> </td> <td> <p> <strong> T0831 </strong> </p> </td> <td> <p> Monitor ABB/Hitachi/Siemens device communications for unexpected outbound connections or firmware update attempts </p> </td> </tr> </tbody> </table> <h3> <strong> Hunting Hypotheses </strong> </h3> <ul> <li> <strong> Hypothesis: </strong> An attacker has already obtained OAuth tokens via device code phishing and is silently reading executive email. </li> <li> <strong> Hunt: </strong> Query Azure AD sign-in logs for authenticationProtocol == deviceCode in the last 30 days. Cross-reference with impossible travel or unfamiliar device registrations. Check for mail forwarding rules ( <strong> T1114.003 </strong> ) created after device code authentications. </li> <li> <strong> Hypothesis: </strong> A malicious npm/PyPI package has been installed in a state agency CI/CD pipeline and is exfiltrating environment variables. </li> <li> <strong> Hunt: </strong> Audit all package-lock.json and requirements.txt files across repositories for packages matching TrapDoor names. Check CI/CD runner logs for outbound connections to ddjidd564.github[.]io. Review environment variable access patterns in build logs. </li> <li> <strong> Hypothesis: </strong> A compromised inter-agency service account is being used to access databases beyond its normal scope. </li> <li> <strong> Hunt: </strong> Pull authentication logs for all federated/shared service accounts. Build a baseline of normal database access patterns. 
Flag any account accessing property, tax, or vital records databases that historically only accessed its home agency's systems. </li> </ul> <h3> <strong> Blocking Actions </strong> </h3> <ul> <li> Block ddjidd564.github[.]io at web proxy and DNS resolver </li> <li> Consider blocking microsoft.com/devicelogin at the proxy level for all users except those with documented business need (conference room devices, kiosks) &mdash; implement via Conditional Access instead if possible </li> <li> Add TrapDoor package names to internal package registry deny-lists </li> </ul> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Kali365 OAuth token theft targeting finance staff with access to payment systems and tax databases </li> <li> <strong> Action: </strong> Implement Conditional Access policies requiring compliant devices AND named locations for any access to financial applications. Review all OAuth app consents in the tenant for finance-related apps. </li> <li> <strong> Lithuania parallel: </strong> Tax registries containing SSNs and financial data are high-value targets for state-sponsored exfiltration. Audit inter-agency access to tax databases. </li> </ul> <h3> <strong> Energy (State Energy Office, Utility Oversight, Building Automation) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> ABB/Hitachi/Siemens ICS vulnerabilities (ICSA-26-141-01 through -05); Volt Typhoon pre-positioning </li> <li> <strong> Action: </strong> Inventory all ABB B&amp;R, Hitachi Energy GMS600, and Siemens RUGGEDCOM devices in state facilities. Apply patches per CISA advisories. Verify network segmentation between IT and OT environments. Ensure no direct internet connectivity for ICS devices. </li> <li> <strong> CVE-2022-4304 </strong> (OpenSSL timing side-channel in Hitachi GMS600) requires firmware update. 
</li> </ul> <h3> <strong> Healthcare (State Health Department, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware (BITWISE SPIDER/LockBit, PUNK SPIDER/Akira) targeting health data; credential theft via Kali365 for access to Medicaid PII </li> <li> <strong> Action: </strong> Verify offline backups of Medicaid enrollment databases. Ensure health system portals are not using any of the 34 TrapDoor packages. Conduct tabletop exercise for ransomware scenario affecting benefits processing. </li> </ul> <h3> <strong> Government (All Executive Branch Agencies) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Russian state-sponsored credential compromise and registry exfiltration (Lithuania model); WhatsApp/Signal phishing of officials </li> <li> <strong> Action: </strong> Brief all senior officials on messaging platform verification code phishing &mdash; never share codes. Audit all inter-agency service accounts and apply least-privilege. Implement break-glass alerting for any service account accessing databases outside its designated scope. </li> <li> <strong> APT28 </strong> WhatsApp phishing ( <strong> T1111 </strong> , <strong> T1566.002 </strong> ) is confirmed targeting government officials across multiple countries. </li> </ul> <h3> <strong> Aviation/Logistics (State DOT, Port Authorities, Transit Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Volt Typhoon pre-positioning in transportation infrastructure; ICS vulnerabilities in traffic management and transit SCADA </li> <li> <strong> Action: </strong> Conduct network segmentation audit for all OT systems managing traffic signals, transit operations, and port logistics. Verify that Siemens RUGGEDCOM devices (if deployed in transportation networks) have current PAN-OS firmware. Implement enhanced monitoring for lateral movement from IT to OT networks. 
</li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> <strong> CISO/IAM Team </strong> </p> </td> <td> <p> Block device code authentication flow in Azure AD Conditional Access policies. Create narrow exceptions only for documented legitimate use cases (conference room devices, shared kiosks). Kali365 is actively exploiting this flow. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> <strong> SOC </strong> </p> </td> <td> <p> Create detection rule for DeviceCodeUserLogin events in Azure AD sign-in logs. Alert on any device code authentication from unexpected geolocations or user agents. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> <strong> DevOps </strong> </p> </td> <td> <p> Audit all repositories for .cursorrules, CLAUDE.md, and similar AI assistant configuration files. Remove unauthorized entries immediately. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 </strong> </p> </td> <td> <p> <strong> Network Security </strong> </p> </td> <td> <p> Block ddjidd564.github[.]io at DNS and web proxy. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> <strong> DevOps </strong> </p> </td> <td> <p> Scan all CI/CD pipelines for TrapDoor package names. Pin all npm/PyPI dependencies to exact versions with hash verification. Implement package allow-listing for production builds. 
</p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> <strong> OT/Facilities </strong> </p> </td> <td> <p> Apply patches for ABB B&amp;R Automation Studio, B&amp;R PCs, B&amp;R Automation Runtime, Hitachi Energy GMS600, and verify Siemens RUGGEDCOM APE1808 firmware per CISA ICS advisories ICSA-26-141-01 through -05. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> <strong> Security Awareness </strong> </p> </td> <td> <p> Issue all-staff advisory on WhatsApp/Signal verification code phishing. Key message: never share verification codes received via SMS, even if the request appears to come from IT or a colleague. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 </strong> </p> </td> <td> <p> <strong> IAM Team </strong> </p> </td> <td> <p> Audit all OAuth application consents in M365 GCC tenant. Revoke any suspicious or overprivileged app registrations. Implement admin consent workflow for new app registrations. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> <strong> CISO </strong> </p> </td> <td> <p> Evaluate complete elimination of device code flow in M365 GCC tenant. Document all legitimate dependencies and architect alternatives (QR code sign-in, FIDO2 for shared devices). </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> <strong> IR Team </strong> </p> </td> <td> <p> Conduct tabletop exercise simulating a property/tax registry breach via compromised inter-agency service accounts (Lithuania scenario). Test detection, containment, notification, and recovery procedures. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> <strong> Enterprise Architecture </strong> </p> </td> <td> <p> Review all inter-agency service accounts and federated identity trusts. 
Implement just-in-time access for cross-agency database queries. Eliminate standing privileges where possible. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 </strong> </p> </td> <td> <p> <strong> CISO </strong> </p> </td> <td> <p> Commission assessment of AI coding assistant usage across state development teams. Establish policy for approved tools, configuration file governance, and supply chain security requirements for AI-assisted development. </p> </td> </tr> </tbody> </table> <h3> <strong> Executive/IR Preparedness </strong> </h3> <ul> <li> <strong> CIO Decision Required: </strong> Approve emergency Conditional Access policy change to block device code authentication flow (Kali365 mitigation) </li> <li> <strong> CISO Decision Required: </strong> Direct DevOps teams to conduct emergency dependency audit for TrapDoor packages </li> <li> <strong> IR Readiness: </strong> Ensure incident response playbooks cover OAuth token compromise scenarios &mdash; traditional credential reset does NOT invalidate stolen OAuth tokens. Token revocation procedures must be documented and tested. 
</li> </ul> <h2> <strong> IOC Blocking Table </strong> </h2> <p> The following indicators are confirmed from intelligence collection and should be added to blocking infrastructure: </p> <table> <thead> <tr> <th> <p> Type </p> </th> <th> <p> Value </p> </th> <th> <p> Context </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> ddjidd564.github[.]io </p> </td> <td> <p> TrapDoor supply chain attack payload host </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> trap-core.js </p> </td> <td> <p> Shared malicious npm payload across TrapDoor packages </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> .cursorrules </p> </td> <td> <p> AI assistant poisoning configuration (check repos for unauthorized instances) </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> CLAUDE.md </p> </td> <td> <p> AI assistant poisoning configuration (check repos for unauthorized instances) </p> </td> </tr> </tbody> </table> <p> <em> Additional IOCs for the campaigns discussed in this report &mdash; including indicators for Kali365 infrastructure, APT28 operations, and ransomware group C2 &mdash; are available through Anomali ThreatStream and partner feeds. </em> </p> <h2> <strong> Bottom Line </strong> </h2> <p> The intelligence picture this week delivers a clear message: <strong> identity infrastructure is the battleground </strong> . Kali365 exploits device code flow. Lithuania's breach exploited inter-agency credential trust. TrapDoor exploits developer credential storage. Three different campaigns, three different actors, one common thread &mdash; whoever controls the tokens controls the kingdom. </p> <p> State government M365 GCC tenants with device code flow enabled are running with an open door that the FBI has now publicly confirmed attackers are walking through. 
The mitigation is architectural, not behavioral &mdash; no amount of security awareness training will stop a user from entering a device code when the phishing lure is AI-generated and contextually perfect. </p> <p> Block the flow. Audit the tokens. Segment the trust boundaries. The threat actors are not waiting. </p> <p> <em> Anomali CTI Desk | 2026-05-25 | TLP:GREEN </em> </p> <p> <em> This report is derived from intelligence collected through 2026-05-25. Threat assessment levels reflect analyst judgment based on corroborated multi-source intelligence. Organizations should adapt recommendations to their specific environment and risk tolerance. </em> </p>
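<p> As an added worked example for the P1 detection priorities and the first hunting hypothesis above (not code from Anomali or Microsoft), the following Python triages constructed Entra ID sign-in records for device code authentications that fall outside a documented baseline and correlates them with inbox rules created shortly afterwards. The baseline identities, home country, known user agents and the sample records are assumptions constructed for the demonstration. </p>

```python
"""Triage Entra ID (Azure AD) sign-in records for device code authentications
that break the documented baseline (ATT&CK T1528 / T1078.004) and correlate
them with inbox rules created shortly afterwards (T1114.003).
Added example for this report, not Anomali's or Microsoft's code. Field names
follow the SigninLogs and unified audit log schemas; everything else below is
constructed (baseline, home country, known agents, sample records)."""
from datetime import datetime, timedelta

# Constructed: identities with a documented device-code use case (conference
# room displays, shared kiosks). Anyone else using the flow is suspect.
DEVICE_CODE_BASELINE = {"room-display@state.example.gov"}
HOME_COUNTRY = "US"  # constructed: where this tenant's users normally sign in
KNOWN_DEVICE_AGENTS = {"Teams Rooms"}  # constructed: approved shared-device agents

# Constructed sample SigninLogs records (subset of fields).
SIGNIN_LOGS = [
    {"createdDateTime": "2026-05-22T09:10:00Z",
     "userPrincipalName": "room-display@state.example.gov",
     "authenticationProtocol": "deviceCode", "userAgent": "Teams Rooms",
     "location": {"countryOrRegion": "US"}, "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2026-05-22T13:40:00Z",
     "userPrincipalName": "cfo@state.example.gov",
     "authenticationProtocol": "none", "userAgent": "Mozilla/5.0 Edge/125",
     "location": {"countryOrRegion": "US"}, "ipAddress": "198.51.100.42"},
    {"createdDateTime": "2026-05-22T14:02:00Z",
     "userPrincipalName": "cfo@state.example.gov",
     "authenticationProtocol": "deviceCode", "userAgent": "python-requests/2.31",
     "location": {"countryOrRegion": "NL"}, "ipAddress": "203.0.113.77"},
]
# Constructed sample unified audit log records (Exchange inbox rule operations).
AUDIT_LOGS = [
    {"CreationTime": "2026-05-22T14:25:00Z", "Operation": "New-InboxRule",
     "UserId": "cfo@state.example.gov",
     "Parameters": [{"Name": "ForwardTo", "Value": "archive@mailbox.example.net"}]},
]

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-05-22T14:02:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flag_device_code_signins(logs, baseline=DEVICE_CODE_BASELINE,
                             home_country=HOME_COUNTRY,
                             known_agents=KNOWN_DEVICE_AGENTS):
    """One finding per device code sign-in that deviates from the baseline,
    carrying every reason that fired so an analyst can rank it."""
    findings = []
    for rec in logs:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive, ROPC, SAML etc. are out of scope here
        user = rec["userPrincipalName"].lower()
        reasons = []
        if user not in baseline:
            reasons.append("user_not_in_device_code_baseline")
        if rec.get("location", {}).get("countryOrRegion") != home_country:
            reasons.append("sign_in_outside_home_country")
        if rec.get("userAgent") not in known_agents:
            reasons.append("unexpected_user_agent")
        if reasons:
            findings.append({"user": user, "time": parse_ts(rec["createdDateTime"]),
                             "ip": rec.get("ipAddress"), "reasons": reasons,
                             "inbox_rule_after": False})
    return findings

def correlate_inbox_rules(findings, audit_logs, window_hours=24):
    """Mark findings where the same user created or changed an inbox rule
    within window_hours after the suspicious sign-in."""
    window = timedelta(hours=window_hours)
    for f in findings:
        for ev in audit_logs:
            if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
                continue
            if ev.get("UserId", "").lower() != f["user"]:
                continue
            created = parse_ts(ev["CreationTime"])
            if f["time"] <= created <= f["time"] + window:
                f["inbox_rule_after"] = True
    return findings

def triage(logs=SIGNIN_LOGS, audit_logs=AUDIT_LOGS):
    """Full pipeline: baseline deviations, then inbox rule correlation."""
    return correlate_inbox_rules(flag_device_code_signins(logs), audit_logs)

if __name__ == "__main__":
    for f in triage():
        print(f"{f['user']} {f['time'].isoformat()} from {f['ip']} "
              f"reasons={f['reasons']} inbox_rule_after={f['inbox_rule_after']}")
```

<p> On real data, feed the script exported SigninLogs and unified audit log JSON and replace the constructed baseline with the identities that actually own conference room and kiosk devices; a finding with inbox_rule_after set is the case to escalate first, since a stolen token plus a forwarding rule is the collection pattern the hunt above describes. </p>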
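<p> As an added worked example for the P2 detection priorities and the second hunting hypothesis (not code from Anomali or from the researchers who reported TrapDoor), the following Python scans a repository tree for the TrapDoor package names quoted in this report across package.json, package-lock.json, requirements.txt and Cargo.toml, and flags any .cursorrules or CLAUDE.md file that is not on an approved list. The sample manifests and the approved-file list are constructed for the demonstration. </p>

```python
"""Scan a repository tree for dependencies matching the TrapDoor package names
quoted in this report and for AI coding assistant configuration files that are
not on an approved list (ATT&CK T1195.002).
Added example for this report; not Anomali's code. The six package names are
the ones the report lists; manifests and the approved list are constructed."""
import json
import re
from pathlib import Path

# Package names quoted in the report (six of the 34); extend from your feed.
TRAPDOOR_PACKAGES = {
    "wallet-security-checker", "eth-security-auditor", "crypto-credential-scanner",
    "prompt-engineering-toolkit", "llm-context-compressor", "sui-sdk-build-utils",
}
AI_CONFIG_FILES = {".cursorrules", "CLAUDE.md"}

def deps_from_package_json(text):
    """Dependency names from package.json or a v2/v3 package-lock.json."""
    data = json.loads(text)
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(key, {}))
    # package-lock.json lists installed packages as node_modules/<name> paths.
    for path in data.get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[-1])
    return names

def deps_from_requirements(text):
    """Dependency names from requirements.txt, normalised per PEP 503."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as -r / --hash
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.add(re.sub(r"[-_.]+", "-", match.group(0)).lower())
    return names

def deps_from_cargo_toml(text):
    """Dependency names from every [*dependencies] table in Cargo.toml."""
    names, section = set(), None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section and section.endswith("dependencies") and "=" in line:
            names.add(line.split("=", 1)[0].strip().strip('"'))
    return names

PARSERS = {"package.json": deps_from_package_json,
           "package-lock.json": deps_from_package_json,
           "requirements.txt": deps_from_requirements,
           "Cargo.toml": deps_from_cargo_toml}

def scan_tree(files, approved_ai_configs=frozenset()):
    """files maps repo-relative path -> contents. Returns a list of findings."""
    findings = []
    for path, text in files.items():
        name = Path(path).name
        if name in PARSERS:
            for pkg in sorted(PARSERS[name](text) & TRAPDOOR_PACKAGES):
                findings.append({"path": path, "kind": "trapdoor_package", "detail": pkg})
        if name in AI_CONFIG_FILES and path not in approved_ai_configs:
            findings.append({"path": path, "kind": "unapproved_ai_config", "detail": name})
    return findings

def scan_directory(root, approved_ai_configs=frozenset()):
    """Walk a checked-out repository on disk and feed it to scan_tree."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*")
             if p.is_file() and (p.name in PARSERS or p.name in AI_CONFIG_FILES)}
    return scan_tree(files, approved_ai_configs)

# Constructed sample repository: two projects, one poisoned manifest each.
SAMPLE_REPO = {
    "portal/package.json": json.dumps({"dependencies": {"express": "^4.19.2",
                                                        "llm-context-compressor": "1.0.3"}}),
    "portal/requirements.txt": "requests==2.32.3\nprompt_engineering_toolkit>=0.2  # from a template\n",
    "agent/Cargo.toml": '[package]\nname = "agent"\n\n[dependencies]\nserde = "1"\nsui-sdk-build-utils = "0.4"\n',
    "portal/.cursorrules": "# constructed: nobody approved this file\n",
    "agent/CLAUDE.md": "# constructed: approved team conventions\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO, approved_ai_configs={"agent/CLAUDE.md"}):
        print(f"{f['kind']:22} {f['path']}: {f['detail']}")
```

<p> Run scan_directory against each checkout in a CI step; a non-empty result should fail the build, and a TrapDoor hit in a lockfile means the package was already installed on that runner, so its credentials fall under the token rotation guidance in this report. </p>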
